Carphone Warehouse Breach May Have Hit 2.4 Million

Personal data including the bank details of over two million Carphone Warehouse customers is at risk after the firm revealed that it has been breached by a “sophisticated cyber attack.”

A notice posted on the mobile phone vendor’s website on 8 August claimed that the breach was first discovered three days previously, after which the firm launched an investigation into the incident and put in “additional security measures” to prevent further attacks.

The brands affected by the UK-based hack include OneStopPhoneShop.com, e2save.com and Mobiles.co.uk as well as iD Mobile, TalkTalk Mobile, Talk Mobile and Carphone Warehouse.

The firm reassured customers that the “vast majority” of their data was safe and stored on separate systems, as is data on customers of Currys and PCWorld.

It explained:

“Our investigation has indicated that personal data which may include name, address, date of birth and bank details of up to 2.4 million customers may have been accessed. Encrypted credit card data of up to 90,000 customers may also have been accessed. We and our partners are contacting all those customers who may have been affected to inform them of the breach and to give them advice to reduce any risk and minimize inconvenience.”  

Carphone Warehouse urged all affected customers to closely monitor their bank accounts for unusual activity, and to be wary of anyone calling to ask for passwords, bank details or other personal information.

Veracode principal solution architect, John Smith, argued the incident showed the importance of “strategic and systematic thinking” when approaching data security.

“Whilst a positive response following a cyber attack, it is important that businesses don’t wait to be hacked before putting the appropriate security measures in place,” he added. “Businesses need to take a broader, more strategic approach to cyber security to ensure the safeguarding of their customers’ data.”

Accellion EMEA general manager, Keith Poyser, argued that cyber security needs to span several company-wide disciplines including technology, training, and governance.

“To mitigate the risk of a breach, cyber security ultimately has to become a part of an enterprise’s culture and it must touch every segment of that enterprise,” he added. “The good news is there are a number of steps organizations can take to lessen the chances of a cyber attack.”

Check Point technical director, Thierry Karsenti, warned that phishing attacks would likely follow on the back of this attack.

“For the attackers, it’s just a numbers game, but it could have serious consequences for customers,” he said.

“Phishing emails continue to be the most common source for social engineering attacks, so customers should be suspicious of any emails, or even phone calls, that relate to the breach, and should not give away more information.”
